Harden NixOS config defaults and setup guidance #4
@@ -63,7 +63,7 @@ Defaults are set in `flake.nix` and used across modules. Update them there:
|
||||
| `time.timeZone` | `America/New_York` | `modules/common.nix` |
|
||||
| `i18n.defaultLocale` | `en_US.UTF-8` | `modules/common.nix` |
|
||||
|
||||
Also rename the default `hosts/atlas/` directory to match your actual hostname, and ensure the same hostname is set in `flake.nix`.
|
||||
Also rename the default `hosts/atlas/` directory to match your actual hostname, and ensure the same hostname is set in `flake.nix` (the flake uses it to locate `hosts/<hostname>/hardware-configuration.nix`).
|
||||
|
||||
### 3. Stage Files in Git
|
||||
|
||||
|
||||
@@ -41,7 +41,8 @@
|
||||
username = "pinj";
|
||||
lib = nixpkgs.lib;
|
||||
hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
|
||||
specialArgs = { inherit inputs system hostname username; };
|
||||
passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";
|
||||
specialArgs = { inherit inputs system hostname username passwordHashPath; };
|
||||
|
|
||||
|
||||
# Verify mango flake exports the expected module
|
||||
mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{ config, pkgs, inputs, system, hostname, username, ... }:
|
||||
{ config, pkgs, inputs, system, hostname, username, passwordHashPath, ... }:
|
||||
|
||||
{
|
||||
assertions = [
|
||||
@@ -118,7 +118,7 @@
|
||||
extraGroups = [ "wheel" "networkmanager" "video" "seat" ];
|
||||
# IMPORTANT: Generate a password hash with: mkpasswd -m sha-512
|
||||
# Save it to the path below (ensure permissions are 600)
|
||||
hashedPasswordFile = "/etc/nixos/secrets/${username}/password.hash";
|
||||
hashedPasswordFile = passwordHashPath;
|
||||
packages = with pkgs; [
|
||||
# -- Noctalia Shell --
|
||||
inputs.quickshell.packages.${system}.default
|
||||
|
||||
Reference in New Issue
Block a user
The username validation regex allows usernames that consist only of underscores followed by other characters (e.g., "___abc"), but the second check
builtins.match "^_+$" username == nullonly rejects usernames that are entirely underscores. According to standard Unix username conventions, usernames starting with underscore are typically reserved for system accounts. Consider strengthening the validation to reject any username starting with underscore unless that's intentionally allowed for system accounts.